Solved

Anonymous Access - Is it safe?

Posted on 2014-02-05
7
340 Views
Last Modified: 2014-02-11
I'm involved in a debate over the safety of allowing internal anonymous (read only) access to a SharePoint 2010 (Enterprise) WCM site.

They have 2 main SharePoint areas, one WCM and the other Collaboration. SharePoint is only accessible within the company network. Authentication is NTLM against 3 trusted domains. Due to corporate aquisitions there are a few hundred employees currently on non-trusted domains.

It's been proposed that we enable anonymous access on the WCM site so all employees can see company announcements. However there's a big push-back against this for 'security reasons'. Nothing specific, just a feeling that opening access somehow opens the collaboration site and other data to attack.

(I will also mention, Federated Services has been considered as an alternative access method for our extra users, but the hardware and configuration requirements are very tight for our timescales.)

Considering that access is only possible from within the company network, there is intrusion detection software configured on all requests to SharePoint, access is read only etc, am I missing something? Should anonymous access to non-sensitive data (admittedly in the same farm as sensitive data) be of major concern to anyone?
0
Comment
Question by:Jamie McAllister MVP
  • 4
  • 2
7 Comments
 
LVL 16

Expert Comment

by:Walter Curtis
ID: 39836756
Anonymous access is very useful in the situation your describe. The biggest danger is human error. If for example some creates a site collection that inherits the anonymous access and it is not explicit disabled, then data could be exposed. Consider creating an additional web application where anonymous access is enable and have all other data in a web app that has anonymous disabled and you lower the risk of an error. I have done that on several occasions and it has worked well.

Hope that helps
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39838192
I would suggest to configure access for Authenticated users instead of Anonymous. if not, there are certain groups like domain users which you can use where all the users from domain are member of that group, you can configure access for this group in each domain as a work around.
0
 
LVL 31

Author Comment

by:Jamie McAllister MVP
ID: 39838404
Can anyone tell me an absolute show-stopper for Anonymous access within our network?

Or alternatively an absolute assurance that Anonymous is fine in the scenario I described?

At the moment I need to feed into the decision for a go/no go on anonymous access.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39838410
It is fine but your security team may not approve or might be an issue in audits.
0
 
LVL 31

Author Comment

by:Jamie McAllister MVP
ID: 39838531
What specific grounds might they not approve on if it is safe?
0
 
LVL 31

Accepted Solution

by:
Jamie McAllister MVP earned 0 total points
ID: 39838748
Spencer Harbar was kind enough to provide some input to this debate on a private forum. I can't cross post the text in full but a summary of the advice is this;

Such content should always be authenticated. Factors such as the content being on the Internal Network, or having IDS in place do not influence the risk management. Having ACL in place would significantly reduce the risk of outages from malicious intent.

Suggested approach is creating accounts for all users, opening up the WCM site to All Authenticated Users if necessary, but always having ACL in place.

Thanks for your input on the question.
0
 
LVL 31

Author Closing Comment

by:Jamie McAllister MVP
ID: 39849632
Spencer Harbar advised against Anonymous Access.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question